Ideally we will see NextHop Status: UP with respective keep-alive counters KA sent: and KA got: greater than 0 (zero). This traffic matches IPSec tunnel WSS_Tunnel_2 configured above.ġ) Select existing PBF rule WSS_OverIPsec_1, click on Forwarding tab.ģ) Select Monitor Profile the same as IPSec tunnel WSS_Tunnel_2 Monitor ProfileĤ) Select 'Disable this rule if nexthop/monitor ip is unreachable'ĥ) Specify IP Address 199.19.248.164 (this is Symantec datacenter IP)Ħ) Click OK to close all the dialog window, follow by CommitĪfter configuration commit, we can check PBF monitoring status from CLI: Policy based forwarding rule is not applied when the monitoring host is unreachable In this example, PBF keep-alive will be sent from tunnel.1 interface ( 192.168.1.254) to destination 199.19.248.164. Palo Alto Networks firewall will send a keep-alive using Egress Interface IP as the source address. This indicates Tunnel Monitoring is working.Īfter successfully configuring Tunnel Monitoring, we can configure PBF rule monitoring under Policies > Policy Based Forwarding. Ideally we will see monitor: on and monitor status: up with respective monitor counters.
Palo alto networks vpn tunnel monitor how to#
To check Tunnel Monitoring status from CLI, see this article: How to Verify if IPSec Tunnel Monitoring is Working – Click OK to close all the dialog window, follow by CommitĪfter configuring commit, we should see a new tunnel WSS_Tunnel_2 interface status is UP (Green). – Click Proxy IDs tab > Add > WSS_Tunnel_2_proxy – Enter Destination IP 199.19.248.164 (this is Symantec datacenter IP) To be able to properly monitor the IPSec tunnel, we need to create a new IPSec tunnel with the following parameters: 90), we can only specify one Proxy ID for WSS Tunnel configuration. The existing IPSec tunnel WSS_Tunnel_1 is configured with Local Proxy ID 10.1.1.0/24. Palo Alto Networks firewall will send keep-alive using tunnel interface IP as the source address. To monitor the IPSec tunnel, we need to enable Tunnel Monitor properties in IPSec Tunnel configuration under Network > IPSec Tunnels > tunnel_name. – Necessary security policy rule to allow HTTP traffic from trust zone to WSS_tunnel zoneĪssuming that both Palo Alto Networks firewall and Symantec WSS admin console are properly configured, we should see Tunnel Interface Status is UP (Green) under Network > IPSec Tunnels – PBF rule: WSS_OverIPsec_1 with Egress Interface tunnel.1 – IPSec tunnel: WSS_Tunnel_1 with Local Proxy ID 10.1.1.0/24 (to match Local site network above) – IKE gateway: WSS_IKE_Gateway_1 with Peer IP 199.19.248.164 (this is Symantec datacenter IP) – Tunnel interface: tunnel.1 with IP address 192.168.1.254/32 (firewall zone: WSS_tunnel)
In this example, we are using the following parameters